ICO consultation on the draft updated data 
sharing code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data have 
high data protection standards, sharing data in ways that are fair, transparent 
and accountable. We also want organisations to be confident when dealing with 
data sharing matters, so individuals can be confident their data has been 
shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating our 
data sharing code of practice, which was published in 2011. We are now 
seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data protection 
legislation where these changes are relevant to data sharing. It addresses 
many aspects of the new legislation including transparency, lawful bases for 
processing, the new accountability principle and the requirement to record 
processing activities. 


The draft updated code continues to provide practical guidance in relation to 
data sharing and promotes good practice in the sharing of personal data. It 
also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the publication of 
the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call for 
views in August 2018. You can view a summary of the responses and some of 
the individual responses here. 


If you wish to make any comments not covered by the questions in the survey, 
or you have any general queries about the consultation, please email us at 
datasharingcode@ico.org.uk 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where the 
respondent indicates that they are an individual acting in a private capacity 
(e.g. a member of the public). All responses from organisations and individuals 
responding in a professional capacity will be published. We will remove email 
addresses and telephone numbers from these responses; but apart from this, 
we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Please note that we are using the platform Snap Surveys to gather this 
information. Any data collected by Snap Surveys for ICO is stored on UK 
servers. You can read their Privacy Policy. 


Qi Does the updated code adequately explain and advise on the new aspects of 
data protection legislation which are relevant to data sharing? 


O Yes 
© No 


Q2 If not, please specify where improvements could be made. 


It's unclear about how data should be transferred - e.g. Let's say a client is sending 
marketing contacts to their agency, should that be sent via email? Should it be password 


protected? As much as it says "adequate risk assessment" you have to specify what you 
consider to be an adequate risk assessment. 


Q3 Does the draft code cover the right issues about data sharing? 
© Yes 
O No 


Q4 


Q5 


Q6 


Q7 


If no, what other issues would you like to be covered in it? 


Does the draft code contain the right level of detail? 
O Yes 
© No 


If no, in what areas should there be more detail within the draft code? 


We were told there was a question of DPO's being required for articles of data over 5,000 per year being 
processed. This is extremely low, especially for small businesses. | don't see any mention of this... 
There's very little info for small businesses 


Has the draft code sufficiently addressed new areas or developments in data 


protection that are having an impact on your organisation’s data sharing 
practices? 


O Yes 
© No 


Q8 Ifno, please specify what areas are not being addressed, or not being 
addressed in enough detail. 


Good data practice involves storing data securely on different continents - this hasn't really been 


addressed by the code. Again, we need more guidance rather than "adequate risk assessment" on a 
practical basis. 


Q9 Does the draft code provide enough clarity on good practice in data sharing? 
O Yes 
© No 


Q10 If no, please indicate the section(s) of the draft code which could be improved, 
and what can be done to make the section(s) clearer. 


As above - more practical examples of how data should be shared by small businesses safely. 


Qiii Does the draft code strike the right balance between recognising the benefits of 
sharing data and the need to protect it? 


© Yes 
© No 


Q12 If no, in what way does the draft code fail to strike this balance? 


Q13 Does the draft code cover case studies or data sharing scenarios relevant to 


Q14 


your organisation? 


O Yes 
© No 


Please provide any further comments or suggestions you may have about the 
draft code. 


Very few examples of small business sharing - realistically big businesses are going to have 
consultants and specialist advisors who can make sure they comply so this document is 
mainly going to be used by small businesses. 


Q15 To what extent do you agree that the draft code is clear and easy to 
understand? 


© Strongly agree 

© Agree 

©) Neither agree nor disagree 
© Disagree 

© Strongly disagree 


Q16 Are you answering as: 


O An individual acting in a private capacity (e.g. someone providing their 
views as a member of the public of the public) 


© An individual acting in a professional capacity 
© On behalf of an organisation 
© Other 


Q17 Please specify 
Q18 Please specify 
Society of Virtual Assistants 


Q19 Please specify 


Thank you for taking the time to share your views and experience. 


